[LINK] Consumer Credit-Card Risks
Roger.Clarke at xamax.com.au
Wed Jan 13 10:11:25 AEDT 2010
I'm continuing to work on the question of contactless cards. I've
had a prompt response from Visa, including some useful info. I've
not yet had any information from MasterCard or ASIC.
It continues to appear that no risk assessment or risk management
plan from the consumer's perspective exists, and that at no stage has
consultation been undertaken with reps of and advocates for the
On a related matter ...
[If anyone detects anything materially wrong or misleading in the
analysis that follows, I'd appreciate a prompt kick in the head, as
brief as you like, on-list or off-list as appropriate. Nudge, nudge,
An article headed 'Security under the microscope' appears in the
Money Manager segment of the SMH today, and presumably of The Age.
(If that section is on the Web, it's well-hidden).
The article provides a half-decent examination of the upgrades to
security that Visa, MasterCard and issuers have been making,
including contact-based chips and one-time passwords (referred to in
the article as 'unique transaction codes').
Many of us have been arguing for years that the financial services
sector has been very lax in not upgrading security.
The figures in the article suggest that, worldwide, 285 million data
breaches occurred in 2008, 98% involving payment card data. In
Australia in FY 08-09, APCA said there were 531,000 fraudulent
transactions resulting in losses of $180 million.
Those losses are borne almost entirely by merchants. (Financial
institutions issue chargebacks to merchants. So they only bear the
loss if the merchant has disappeared, e.g. gone bankrupt, before the
chargeback is issued. Kiwibank's CEO declared his bank had lost
$1,000 in 2006-07 I think it was).
But there's also a large volume of undiscovered fraud that is borne
by consumers who fail to reconcile their accounts, are too lazy to
pursue mysterious transactions with their financial services
provider, or fail to sustain their concentration long enough to last
through their financial institution's processes - which can be
tortuous and very long-winded.
(In 2009, in order to force NAB to credit me back $70 fraudulently
charged to my card in northern Slovakia, I had to have knowledge of
how to read an EFTS terminal data-dump. 'Yer average mug punter'
would have given up and copped the loss. A key reason I hung in
there for a mere $70, and forced a chargeback against the
fraudster/service-station-operator, was that I'm a consultant,
researcher and expert witness in relation to such matters, and hence
could justify the effort involved as research).
The contact-based chip and one-time password initiatives do appear to
be much more effective security features, and are very much to be
The SMH article doesn't mention two aspects of serious concern:
- contactless cards
- other transactions in which no authentication is undertaken as to
whether the person presenting the card is authorised to do so.
Visa tells me that this category is a lot more widespread that
I'd realised, and has been expanding since about 2004. Visa tells
me that I'm a rare bird never to have done one in a car-park, and
that there are many other merchant-categories with such terminals.
So ... my concerns are now much wider than contactless cards, and
include all of those transaction-types.
Finally, a quote in the article seems very strange to me.
Visa GM Chris Clark is quoted as saying:
"The [contact-based] chip produces *an algorithm* that *authenticates
the user* once only. The next time it is used its interaction with
the terminal generates *a new algorithm*. That process makes it much
harder to copy customer details" (emphases added).
Firstly, surely the chip generates a new number, not a new algorithm.
I can understand attempts to simplify complex technology, or
re-express it in ways consumers will understand (e.g. maybe pilots
with consumers have shown that they can grasp 'unique transaction
code' better than 'one-time password').
But is the seemingly incorrect word 'algorithm' really easier for
consumers than a seemingly more appropriate term such as 'number',
'code', 'one-time password' or 'unique transaction code'?
Secondly, and much more importantly, the one-time code that's
generated authenticates *the card* (or, more correctly, *the chip*).
It's materially misleading to say that it "authenticates the user".
That can only be done through the use of something the person, and
only that person, 'has, knows, is, or is now'. Having the card isn't
enough, because the card can find its way into the hands of an
I'd have been disappointed if a nominally specialist reporter made
such an error, but I think it's remarkable, and pretty poor, that the
Visa GM appears to have made the mistake.
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link